
HP calls for collaboration on security

As more North American organizations admit their networks have been broken into, Hewlett-Packard Co. has issued a report calling for the IT industry to work together to improve cyber security.

“Adversaries today are more adept than ever and are collaborating more effectively to take advantage of vulnerabilities across an ever-expanding attack surface,” Jacob West, HP’s chief technology officer for enterprise security products, said in a statement Monday. “The industry must band together to proactively share security intelligence and tactics in order to disrupt malicious activities driven by the growing underground marketplace.”

In the latest incident BCE Inc.’s Bell Canada acknowledged on Sunday that over 22,000 user names and passwords and five credit card numbers of subscribers to its small business service were posted on the Internet by hackers who got into what was described as a third party’s IT system.

The total number of publicly disclosed vulnerabilities decreased by six per cent compared to 2012, the report said, while the number of high-severity vulnerabilities declined for the fourth consecutive year, decreasing by 9 per cent.

However, HP doubts this is a real trend. “Although unquantifiable, the decline may be an indication as to a surge in vulnerabilities that are not publicly disclosed but rather delivered to the black market for private and/or nefarious consumption,” it says.

Inconsistent and varying definitions of “malware” complicate risk analysis. In an examination of more than 500,000 mobile applications for Android, HP found major discrepancies between how antivirus engines and mobile platform vendors classify malware.

Forty-six per cent of mobile applications studied use encryption improperly. HP research shows that mobile developers often fail to use encryption when storing sensitive data on mobile devices, rely on weak algorithms to do so, or misuse stronger encryption capabilities, rendering them ineffective.

Microsoft’s Internet Explorer browser was the software most targeted by HP Zero Day Initiative vulnerability researchers in 2013, and accounted for more than 50 per cent of vulnerabilities acquired by the program. The ZDI program rewards researchers for responsibly disclosing vulnerabilities. HP notes that bug hunters may have focused on Microsoft vulnerabilities, so the number doesn’t reflect on the overall security of Internet Explorer.

Sandbox bypass vulnerabilities were the most prevalent and damaging for Java users. Adversaries significantly escalated their exploitation of Java by simultaneously targeting multiple known (and zero day) vulnerabilities in combined attacks to compromise specific targets of interest.

HP [NYSE: HPQ] urges organizations and developers to be aware of security pitfalls in frameworks and other third-party code, particularly for hybrid mobile development platforms. “Robust security guidelines must be enacted to protect the integrity of applications and the privacy of users,” it says.

“While it is impossible to eliminate the attack surface without sacrificing functionality, a combination of the right people, processes and technology does allow organizations to effectively minimize the vulnerabilities surrounding it and dramatically reduce overall risk.”


Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.